Offensive OSINT season 1 - Summary
Finally, we made it. Around 3 months, 8 episodes and many hours of researching suspicious cyber activities and other OSINT rabbit holes. This article sums up the first season: what we have learned and what each piece of research was about.
I hope it will make you interested in signing up for the next season.
OSINT & RDP
It was one of the simplest articles to write and a good warm-up for further adventures. It presents how to set up a basic Python environment with the help of PyCharm and how to connect it to Elasticsearch. As a real case study I took the detection and monitoring of publicly exposed servers with Remote Desktop Protocol open in organizations such as hospitals.
The included code uses Shodan for detection and Gmail as the email provider to monitor and report new findings every week or month. Other useful tricks for targeting RDP, such as credential stuffing, were also presented.
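As an added example (not code from the blog's RDP article), here is the shape of such a periodic check in Python: it runs one Shodan query per organisation, keeps the already-reported hosts in a small JSON file instead of Elasticsearch, and mails only hosts that did not appear in an earlier run, so an exposure is reported once and a fix is visible as the host dropping out of the results. The Shodan match fields used (`ip_str`, `port`, `org`, `hostnames`, `timestamp`), the `shodan.Shodan(key).search` call and the Gmail SMTP settings are what the example assumes; the matches below are constructed sample data so that the logic runs offline.

```python
"""Periodic check for newly exposed RDP hosts in a set of organisations.

Added example, not the Offensive OSINT code. Assumes Shodan match dicts carry
'ip_str', 'port', 'org', 'hostnames' and 'timestamp'; the search function and
mail sending are injectable so the detection logic runs offline.
"""
import json
import smtplib
from email.message import EmailMessage
from pathlib import Path

RDP_PORT = 3389

# Constructed sample of what shodan.Shodan(key).search('port:3389 org:"..."') returns.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 3389, "org": "Example Hospital",
     "hostnames": ["rdp.example-hospital.test"], "timestamp": "2020-05-01T10:00:00"},
    {"ip_str": "203.0.113.11", "port": 3389, "org": "Example Hospital",
     "hostnames": [], "timestamp": "2020-05-02T11:00:00"},
    {"ip_str": "198.51.100.7", "port": 3389, "org": "Example Clinic",
     "hostnames": ["ts.example-clinic.test"], "timestamp": "2020-05-02T12:00:00"},
]


def fake_search(query):
    """Offline stand-in for shodan.Shodan(key).search, filtering the sample by org."""
    org = query.split('org:"')[1].rstrip('"')
    return {"matches": [m for m in SAMPLE_MATCHES if m["org"] == org]}


def collect_rdp_hosts(orgs, search=fake_search):
    """One Shodan query per organisation; returns {ip: finding}."""
    hosts = {}
    for org in orgs:
        result = search(f'port:{RDP_PORT} org:"{org}"')
        for m in result.get("matches", []):
            if m.get("port") != RDP_PORT:      # ignore unrelated services on the host
                continue
            hosts[m["ip_str"]] = {
                "ip": m["ip_str"], "org": m.get("org", ""),
                "hostnames": m.get("hostnames", []), "seen": m.get("timestamp", ""),
            }
    return hosts


def load_known(path):
    """IPs reported in earlier runs (the original article kept these in Elasticsearch)."""
    p = Path(path)
    return set(json.loads(p.read_text())) if p.exists() else set()


def save_known(path, ips):
    Path(path).write_text(json.dumps(sorted(ips)))


def new_findings(hosts, known_ips):
    """Only hosts that were not in the known set, so each exposure is reported once."""
    return {ip: h for ip, h in hosts.items() if ip not in known_ips}


def format_report(new_hosts):
    if not new_hosts:
        return "No new RDP exposures this period."
    lines = [f"{len(new_hosts)} new host(s) with RDP ({RDP_PORT}/tcp) exposed:"]
    for h in sorted(new_hosts.values(), key=lambda h: h["ip"]):
        names = ", ".join(h["hostnames"]) or "-"
        lines.append(f"  {h['ip']:15} {h['org']:18} {names}  first seen {h['seen']}")
    return "\n".join(lines)


def send_gmail(subject, body, sender, app_password, recipient):
    """Deliver the report through Gmail SMTP with STARTTLS (account app password)."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, recipient
    msg.set_content(body)
    with smtplib.SMTP("smtp.gmail.com", 587) as smtp:
        smtp.starttls()
        smtp.login(sender, app_password)
        smtp.send_message(msg)


def run_check(orgs, known_ips, search=fake_search):
    """Return (new hosts, report text); the caller decides whether to mail and persist."""
    new = new_findings(collect_rdp_hosts(orgs, search), known_ips)
    return new, format_report(new)


if __name__ == "__main__":
    known = load_known("known_rdp.json")
    new, report = run_check(["Example Hospital", "Example Clinic"], known)
    print(report)
    # With real credentials: send_gmail("RDP exposure report", report, me, pw, me)
    save_known("known_rdp.json", known | set(new))
```

To run it against Shodan, pass `shodan.Shodan(API_KEY).search` as the `search` argument of `run_check`; everything else stays the same, and scheduling it with cron gives the weekly or monthly cadence the article describes.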
OSINT & DEOBFUSCATION
This was one of my favorites. An unusual rabbit hole was used as a real case to show deobfuscation methods for JavaScript files. We went from posts on obsolete blogs to child abuse material that was distributed across different sites and hosted anonymously in the cloud. The campaign has been reported to Pastebin and then to the FBI, and they are working on it; that's all I got.
We learned useful tricks in terms of deobfuscation and dealing with the complex obfuscated network structure used by child abusers. I definitely want to continue this topic in the next season; what I presented is just a small percentage of what is really going on. It goes much deeper: there are forums, chans and the darknet, and I will have to gather and analyze a lot of data to show you the real scale of this network, even on the clearnet.
OSINT & DISINFORMATION
The pattern for disinformation-related investigations is almost the same in every case. If you don't know where to start, choose any current and controversial topic on social media; the most popular platform for disinformation campaigns is Twitter. It could be a political or military matter, depending on what you like or who you are working for.
In this episode, we searched for disinformation around the presidential election in Poland on the Polish social media platform Wykop.pl. It explains the basics of OSINT and disinformation: how to track such cases, what to look for and how to establish connections.
This article was also published on the Polish security portal Zaufana Trzecia Strona.
OSINT & CRITICAL INFRASTRUCTURE
This was a continuation of a really long-term investigation into internet-facing Industrial Control and Internet of Things devices all around the world. The main goal of the article was to scan for, find and locate any device that, if exposed, could potentially be dangerous for national security and, in the end, people's lives.
The research was based on a tool I created, ꓘamerka. It's a web-based ICS, IIoT and IoT reconnaissance tool that has everything you need for industrial investigations. I will continue this topic as well, since I will be presenting ꓘamerka at x33fcon. I plan to scan the whole world and make the ꓘamerka database public for subscribers.
OSINT & CORPORATE ESPIONAGE
I like to reverse various things, from obfuscated JavaScript code to the corporate structure of an adult entertainment organization. Corporate espionage is done by many companies that want to know what their competitors are up to.
This episode explains how to map and visualize the corporate structure of any organization, including daughter companies and subsidiaries. It also shows how to gather data about an organization and its officers with the help of Python and the OpenCorporates API. Technical research into Mindgeek's assets will be part of season 2.
OSINT & OFFSHORE ORGANIZATIONS
It's another topic where OSINT can help a lot. The article describes a deep dive into the leaks from the Panama & Paradise Papers and the Bahamas leaks: how to establish connections, where to look for officers and other related companies. We searched through documents from Distributed Denial of Secrets and the International Consortium of Investigative Journalists.
In addition, an interactive D3.js network graph has been open sourced for use in any similar investigation.
OSINT & DATA LEAKS
LeakLooker is a tool that can deliver hours of entertainment. You can look for leaks from 16 possible sources, including databases, source code or private secrets. It is another long-term project, after Kamerka, that will be continued. There are still many types of sources that need to be added to make LeakLooker even more powerful.
OSINT & HUMAN TRAFFICKING
It's another deep rabbit hole where OSINT and Python skills are super useful. This article is only an introduction to the human trafficking problems online that law enforcement and private companies have to deal with. It shows the history of Backpage, current sites where human trafficking may happen and how to approach this topic in your own OSINT & Python investigation.
The next parts will definitely be a subject of season 2.
OFFENSIVE OSINT SEASON 2
Art Brut (outsider art) is art by self-taught or naïve art makers. Typically, those labeled as outsider artists have little or no contact with the mainstream art world or art institutions. Often, outsider art illustrates extreme mental states, unconventional ideas, or elaborate fantasy worlds.
This description suits the next season best; it will be a kind of OSINT Art Brut with an unconventional approach.
It's hard to find a blog similar to Offensive OSINT, which covers a variety of subjects based on real-life scenarios combining Open Source Intelligence, Python and analyst skills. As you might see, the first season touched on fragile topics, sensitive material and general truth seeking in the cyber world.
So, I would like to continue in the same way and want it to be an eye-opening OSINT experience for everyone who is interested in investigations and wants to learn the process, methodology and technical skills.
Unfortunately, I had no luck cooperating with different infosec people and organizations on any of my projects, but I still want to continue the series. So I decided to move on and started a second season for paid members only; if you still want to read about my OSINT journey across dark Internet corners, subscribe for season 2.
It will have ~8 episodes and take 3-4 months. I have already made a list of topics that will be included in the next season (in random order).
- Mindgeek part 2 - Technical OSINT mapping - General techniques used to find the footprint of a company
- Human trafficking part 2 - Proof of concept Thorn-like tool - mentioned in episode 8
- Human trafficking part 3 - Recreating the social path of known human traffickers. I plan to resurrect my old tool SocialPath and make it as good as I can.
- Deeper dive into the CP network described in episode 2. There is plenty of data distributed across many networks; how to deal with it?
- State of Industrial Control Systems in the world. I'm thinking about new updates to ꓘamerka, and I will check each country in the world to show you the most spectacular findings in terms of ICS and IoT.
- LeakLooker is a topic that never ends. There are still a lot of new types and sources to implement to catch all possible data leaks. I can't wait to see what we will find this time.
- There is a topic I have always wanted to investigate but never had enough time for. It will be a bonus one.
Honestly, I don't know how far we will go, so some episodes might have more parts. In addition, if you have any subject to investigate, let me know; I accept the challenge.
I believe there are people with a similar mindset who are curious about what is really going on and how you can fight it. It is also a great opportunity to gather all the people who think in a similar way and share interesting intel. Let me know if you need access to any of my tools; I will add you to the private GitHub repository.
You can sign up below.